Cisco Community
English
Register
Change to content subject titles: starting July 28 there is a limit on the number of characters to use - LEARN MORE HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
623
Views
0
Helpful
3
Replies
Jeff Horton
Beginner
Beginner
‎06-23-2020 10:16 AM
‎06-23-2020 10:16 AM

MACsec vs IPsec/GRE

Does the MACsec sufficiently encrypt data (multicast, .etc) on the Cisco 9000 series switch so that I don't have to worry about deploying GRE/IPsec?

 

Thoughts?

 

 

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Reza Sharifi
Hall of Fame Expert Hall of Fame Expert
Hall of Fame Expert
‎06-23-2020 01:00 PM
‎06-23-2020 01:00 PM

GRE/IPsec is usually used for connecting multiple sites together over the Internet (WAN connection). On the other hand, MACsec is for host to switch encryption or between switches. So, two different functions.

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/macsec_encryption.html

HTH 

 

View solution in original post

0 Helpful
3 REPLIES 3
Reza Sharifi
Hall of Fame Expert Hall of Fame Expert
Hall of Fame Expert
‎06-23-2020 01:00 PM
‎06-23-2020 01:00 PM

GRE/IPsec is usually used for connecting multiple sites together over the Internet (WAN connection). On the other hand, MACsec is for host to switch encryption or between switches. So, two different functions.

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/sec/b_166_sec_9300_cg/macsec_encryption.html

HTH 

 

View solution in original post

0 Helpful
Jeff Horton
Beginner
Beginner
In response to Reza Sharifi
‎06-23-2020 01:40 PM
‎06-23-2020 01:40 PM

So if I read correctly what you are saying, then MACsec would be good for the switch to switch connection and no need for GRE/IPsec?

0 Helpful
Reza Sharifi
Hall of Fame Expert Hall of Fame Expert
Hall of Fame Expert
In response to Jeff Horton
‎06-23-2020 02:25 PM
‎06-23-2020 02:25 PM

So if I read correctly what you are saying, then MACsec would be good for the switch to switch connection and no need for GRE/IPsec?

That is correct.

HTH

0 Helpful
Latest Contents
RFC 5243 Database Exchange Summary Optimization OSPF
Created by meddane on 07-31-2021 10:43 AM
0
0
0
0
To optimize the database description (DBD) packet exchange between two OSPF neighbors, use the compatible rfc5243 in router configuration mode or address family configuration mode for OSPFv3 AF. To disable RFC5243 optimization, use the no form of this com... view more
Why and How Type-3 and Type-4 LSAs are used as loop preventi...
Created by meddane on 07-31-2021 10:39 AM
0
0
0
0
We said always that OSPF is a link-state routing protocol.For most engineer stuying CCNA or CCNP, OSPF is misunsdertanding.In reality, OSPF is a link-state routing protocol only within an area (intra-area); but almost a distance-vector routing protocol be... view more
OSPF IS-IS comparison
Created by meddane on 07-31-2021 10:32 AM
0
0
0
0
A brief difference between ISIS and OSPF link state protocolsISIS and OSPF belongs to the same routing protocol family Link State, but if you study the two routing protocols, you will find several differences, in this article you will get the answer about... view more
Why we need OSPF Type-2 LSA in a broadcast network
Created by meddane on 07-30-2021 11:07 AM
0
5
0
5
The OSPF Type-2 LSA is one of the misunderstanding LSA among all the popular LSAs in OSPF , most people learns that this kind of LSA (Type-2) is generated by DR the Designated Router in a broadcast segment, for example when two or more than two routers ar... view more
Configuring RADIUS over DTLS with Cat9k and ISE 3.0
Created by Tim Glen on 07-29-2021 09:15 AM
0
15
0
15
Table of Contents Problem Summary RADIUS has been the de-facto protocol for Remote Access Authentication for decades.  RADIUS/UDP as defined by RFC 2865 has traditionally used MD5 for authentication and integrity. Unfortunately, successful attacks ... view more
Content for Community-Ad